fix(api-docs): allow Scalar CDN in CSP for /api-docs

Scalar's reference UI (served by Nitro at /api-docs) loads its bundle from cdn.jsdelivr.net, which was blocked by the global script-src CSP. Add a scoped CSP variant that allows jsdelivr + Google Fonts for the docs route only; the rest of the app keeps the strict policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: InfantLab

app/server/middleware/security-headers.ts

@@ -17,20 +17,37 @@ const CSP = [
   "frame-ancestors 'none'",
 ].join("; ");
 
+/**
+ * Relaxed CSP for /api-docs — Nitro's Scalar UI loads its bundle from
+ * cdn.jsdelivr.net and pulls fonts from Google Fonts. Kept scoped to the
+ * docs route so the rest of the app keeps the strict CSP above.
+ */
+const DOCS_CSP = [
+  "default-src 'self'",
+  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net",
+  "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com",
+  "img-src 'self' data: https:",
+  "font-src 'self' data: https://fonts.gstatic.com https://cdn.jsdelivr.net",
+  "connect-src 'self' https://cdn.jsdelivr.net",
+  "frame-ancestors 'none'",
+].join("; ");
+
 export default defineEventHandler((event) => {
   // Skip API routes that return JSON — they don't need CSP
   if (event.path.startsWith("/api/")) {
     return;
   }
 
+  const isDocs = event.path.startsWith("/api-docs");
+
   setResponseHeaders(event, {
     "X-Content-Type-Options": "nosniff",
     "X-Frame-Options": "DENY",
     "X-XSS-Protection": "0",
     "Referrer-Policy": "strict-origin-when-cross-origin",
     "Permissions-Policy":
       "camera=(), microphone=(self), geolocation=(), payment=()",
-    "Content-Security-Policy": CSP,
+    "Content-Security-Policy": isDocs ? DOCS_CSP : CSP,
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
   });
 });